Tailscale使用以及搭建自己的derp中继服务器

Tailscale安装

各平台在这个页面对应点击下载安装(https://tailscale.com/download/)

有UI的平台都比较容易,主要记录一下Linux server 加入Tailscale网络的过程,以Debian 11 为例

  1. Add Tailscale’s package signing key and repository:
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
  1. Install Tailscale:
sudo apt-get update
sudo apt-get install tailscale
  1. Connect your machine to your Tailscale network and authenticate in your browser:
sudo tailscale up

在这一步将命令行的连接复制到浏览器打开认证即可。并且可以通过--advertise-routes来设置子网转发,例如sudo tailscale up --advertise-routes=10.0.0.0/24,10.0.1.0/24

  1. You’re connected! You can find your Tailscale IPv4 address by running:
tailscale ip -4

搭建derp中继服务器(Docker)

Dockerfile

FROM golang:1.19
# 在国内可以加上这行使用国内源
# RUN go env -w  GOPROXY=https://goproxy.cn,direct
RUN go install tailscale.com/cmd/derper@main
ENTRYPOINT ["/go/bin/derper"]

构建镜像

docker build . -t derper:latest

docker运行derper服务

docker run -d --name derper -p 8001:8001 -p 3478:3478 derper -a :8001

使用--verify-clients参数开启验证,防止他人使用我们的derper,开启客户端验证的话需要该derper也是Tailscale节点

docker run -d --name derper \
-v /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock \
-p 8001:8001 -p 3478:3478 
derper -a :8001 --verify-clients

使用nginx配置https并代理derper,以域名derper.example.com为例,在/etc/nginx/conf.d/derper.example.com.conf文件中写入如下配置

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate     /data/ssls/derper.example.com/derper.example.com.pem;
  ssl_certificate_key /data/ssls/derper.example.com/derper.example.com.key;

  server_name derper.example.com;
  client_max_body_size 500M;

  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:8001;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}

relaod配置

nginx -s reload

配置 acls

https://login.tailscale.com/admin/acls

...

  "derpMap": {
		"OmitDefaultRegions": true,
		"Regions": {
			"900": {
				"RegionID":   900,
				"RegionCode": "myderp",
				"Nodes": [
					{
						"Name":     "1",
						"RegionID": 900,
						"HostName": "derper.example.com",
						"STUNPort": 3478,
						"DERPPort": 443,
					},
				],
			},
		},
	},

...